Session ID Not Updating after Session.Abandon call

  • Question

  • User-1871023568 posted

    Hi,

    I am trying to update the Session ID after every successful login by a user. For that I have abandoned the current Session and am redirecting the flow to a middle page, loading the user-specific settings there, and then redirecting the flow to the default page of the user. But during this process I observed that the Session ID is not getting updated. I think I am missing something here, but could not recognize what.

    Can someone please help?

    Thanks in Advance.

    Regards,

    Paramhans

    Monday, July 11, 2011 6:16 AM

Answers

  • User11528697 posted

    It's normal for the ASP.NET framework to reuse the session ID. Here is what you do to make sure the ID is not reused.

    Session.Abandon();
    Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", ""));

    Here is the link that has why IDs are reused.
    http://support.microsoft.com/kb/899918
    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, July 11, 2011 7:09 AM
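
The login flow from the question with the accepted answer's two lines in place, as an added example that is not code from the thread. The page names, form field names, and the use of Membership and forms authentication to carry the identity across the redirect are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.UI;

// Login.aspx.cs (hypothetical page): handles the login POST.
public partial class Login : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;
        string user = Request.Form["username"];   // assumed form field names
        string pass = Request.Form["password"];
        if (!Membership.ValidateUser(user, pass)) return;

        // Drop the pre-login session, then blank the ID cookie so the browser
        // stops presenting the old ID; otherwise ASP.NET reuses it.
        Session.Abandon();
        Response.Cookies.Add(new HttpCookie("ASP.NET_SessionId", "")
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        });

        // Identity travels in the forms-auth ticket, not in the old session.
        FormsAuthentication.SetAuthCookie(user, false);
        Response.Redirect("~/PostLogin.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}

// PostLogin.aspx.cs (hypothetical): first request after the cookie was blanked.
public partial class PostLogin : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Fail closed if no new session was issued for this request.
        if (!User.Identity.IsAuthenticated || !Session.IsNewSession)
        {
            Response.Redirect("~/Login.aspx", false);
            Context.ApplicationInstance.CompleteRequest();
            return;
        }
        // Writing to Session here makes ASP.NET keep the freshly issued ID.
        Session["UserName"] = User.Identity.Name;   // load user settings here
        Response.Redirect("~/Default.aspx", false);
        Context.ApplicationInstance.CompleteRequest();
    }
}
```

The new ID is only issued on the request after the one that calls Session.Abandon(), so anything written to Session in the login request itself is discarded with the old session.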

All replies

  • User-366017857 posted

    Hi,

    The proper way to create a session variable is:

    Session["VarName"] = value;

    Next to remove an item from the session state:

    Session.Remove("VarName");

    To clear all session variables use:

    Session.Clear();

    Monday, July 11, 2011 6:25 AM
  • User-1871023568 posted

    My intention is to create a new Session after successful login so as to avoid Cross Site Scripting attacks.

    Monday, July 11, 2011 6:57 AM
  • User11528697 posted

    If your intention is to prevent a cross site scripting attack, then you need to look into the standard procedure of using a unique variable stored on the page and in session, which is compared on postback to make sure you are not being sent a replay of previous requests. Search for "CSRF fix for asp.net" in Google and you will find a lot of discussion and code to help you with it.

    Monday, July 11, 2011 7:12 AM
  • User-1871023568 posted

    Thanks for the link. It has resolved my problem.

    Thanks again. 

    Monday, July 11, 2011 9:32 AM